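Graduate student: 蔡維泰
Graduate student (English name): Wei-tai Cai
Thesis title (English): TRAP: A TCP Three-Way Handshake Server for TCP Connection Establishment
Advisor: 許富皓
Advisor (English name): Fu-hao Hsu
Degree: Master's
Institution: National Central University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Year of publication: 2015
Academic year of graduation: 103
Language: English
Number of pages: 42
Chinese keywords: Transmission Control Protocol; denial-of-service attack; three-way handshake; Linux; Netfilter; TCP options
English keywords: TCP; DoS; Three-way Handshake; Linux; Netfilter; TCP options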
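Because the barrier to launching them is very low, distributed denial-of-service (DDoS) attacks have become increasingly common in recent years. In 2013, the anti-spam organization Spamhaus suffered a DDoS attack with traffic from around the world peaking at 75 Gbps, and in March 2015 the well-known code-hosting site GitHub was hit by a DDoS amplification attack carried out through a man-in-the-middle. Yet even though the TCP/IP specifications have been public for decades, there is still no good defense against distributed denial-of-service attacks.

This thesis attempts to make use of the option field reserved in the design of TCP. Malicious clients carrying out a SYN flood generally do not try to complete the TCP three-way handshake. If an authenticated, legitimate client tries to connect to a server that is under a SYN-flood DDoS attack, then once the three-way handshake has completed, the server returns a specific packet whose TCP header option field contains the IP address of a new server and a secret string. When the legitimate client connects to the new server, the new server checks whether the SYN packet contains this secret string, and only if the check passes does it let the SYN packet through and allow the connection to be established.
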
Distributed denial of service (DDoS) attacks have become more and more frequent nowadays. In 2013, a massive DDoS attack was launched against Spamhaus, a non-profit anti-spam mail organization. Up to 75 Gbps of DNS reflection traffic was directed at Spamhaus' servers, causing the service to shut down.

Although DDoS has been around ever since the Internet became popular, no good solution has been offered yet.

In this paper, we present a solution based on TCP redirection using TCP header options. When a legitimate client attempts to connect to a server undergoing a SYN-flood DDoS attack, it initiates a TCP three-way handshake. After the connection has been successfully established, the server replies with a RST packet in which a new server address and a secret are embedded in the TCP header options. The client can then use the supplied secret to connect to the new server, which only accepts SYN packets carrying the correct secret.

Chinese Abstract
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Background
2.1 Transmission Control Protocol
2.2 Denial of Service Attacks
2.3 SYN Flood
2.4 TCP Options
2.5 Netfilter
Chapter 3 Related Work
3.1 SYN Cookie
3.2 SYN Proxy
Chapter 4 System Design
4.1 System Overview
4.2 System Implementation
Chapter 5 Evaluation
5.1 Lab Environment
5.2 Evaluation Results
5.3 Discussion
Chapter 6 Conclusion
References
Electronic full text (Internet release date: 20200630)